The Pitterrorist and Security Theater

Back in February, the University of Pittsburgh started receiving bomb threats, scrawled on the inside of stalls in the men’s bathroom in a particular building. Campus police (an actual police force – not just security guards) evacuated the threatened buildings, searched with bomb-sniffing dogs, and then eventually allowed everybody back in. The would-be bomber has threatened both dormitories and academic buildings, including the 35-story Cathedral of Learning and (recently) the campus library.

Fed up with continued threats, the university removed the stall doors – from that specific bathroom.

Apparently furious at having to poop without any privacy, the bomb-threatener (who I hereby dub the Pitterrorist) began sending similar threats via email, both to local media and to campus police, using foreign remailing services to disguise the origin of the messages.

In the past week or two, the university has received more than two dozen individual threats (update 4/12: they’re up to a total of 79), sometimes several a day, against most of the buildings on campus. Classes have been disrupted and canceled, employees have work piling up on their desks, and concerned parents have begun withdrawing a few students from the school. Makeup classes will probably take place on weekends, which will be generally inconvenient (and possibly costly) for all involved. If class time cannot be replaced, or if students are afraid to be on campus, the school has offered to work with students to ensure that they still get credit for the semester.

All of this is being done at phenomenal expense and inconvenience for all involved. Frankly, it pretty much sucks to be a Pitt student or employee right now.

The university has offered a $50,000 reward for any information leading to the arrest of the Pitterrorist, along with several sternly worded letters urging him to stop, but no public leads have been revealed at this point. The FBI and US attorney general’s office are involved in the investigation, but nobody has publicly released any progress made, except to note that one of the remailers was in Austria and that the guy isn’t necessarily a sophisticated hacker.

What interests me as a security professional is the general disruption the threats have caused. The Pitterrorist doesn’t seem to be particularly interested in actually igniting explosives anywhere. He’s more interested in the expensive chaos caused by evacuating hundreds or thousands of students in a 35-story classroom building or a 15-story dormitory. Investigators have speculated that he’s probably present on campus, perhaps in the areas being evacuated, so he can enjoy the chaos he’s caused. In this sense, he’s the real-life equivalent of hacktivist organization Anonymous, who delight in simply causing chaos “for the lulz”. That he’s using an Internet service to cause the chaos adds to the parallel.

This is a significant event, maybe a first in the United States.

A single person, possibly a college student, is successfully disrupting tens of thousands of students, hundreds or thousands of professors and researchers, and potentially costing everybody millions of dollars in lost class time, lost work time, and extra law enforcement. He’s drawing campus police resources away from the other (now less safe) buildings on campus. He’s forcing classes outside and online. He’s shortening workdays for some employees and extending work hours for others. Students are almost certainly performing more poorly in classes because of the disruptions and the general anxiety that comes with repeated threats against your life.

And he’s doing this by sending threatening emails, an activity that takes almost no effort, which he can probably do from his smartphone, and which he may even be able to schedule to send automatically at a particular time. He’s apparently been able to successfully stymie the best and brightest of United States law enforcement for at least a week and a half, simply by using the same technology foreign spammers use to advertise \/1agr4.

If Pitt was a website, we would probably call this a denial-of-service attack. The Pitterrorist is successfully launching a real-life DDoS against a world-class research university.

And if he continues to do it, and they continue to respond in the same way, he could potentially force a major university to shutter its physical doors.

By sending emails.

While I sympathize with the concerns of law enforcement, the students, and the employees, I think Pitt has responded to the threats in exactly the wrong way.

The university has gone into lockdown mode. Police will search and secure each building in turn, and then ban all bags, backpacks, and packages from the now-secured buildings. (Update 4/9: Bags are not banned entirely, but will be searched on entrance.) University IDs will be checked (possibly scanned) to allow entry. Non-students will not be allowed in the dormitories. Threatened buildings will still be evacuated as before, but the police claim that the added security measures will assist in clearing and reopening the buildings. So classes and jobs will still be disrupted – but maybe not as much.

“As we begin to experience escalated evacuations, we have decided to take next steps to heighten security measures on our campus. Beginning tomorrow, the University will limit access to buildings once they have been swept and cleared. Not all buildings will have limited access immediately, but over the next few days we expect this will extend to all buildings.”

“Please make sure you arrive to your building earlier than your usual arrival time to accommodate this necessary security step. We will continue to evacuate and sweep buildings when threats are received but these additional security measures will reduce the amount of time needed to clear and reopen the buildings.”

It’s hard to imagine what this will accomplish.

As I noted before, the Pitterrorist doesn’t actually seem interested in bombing anybody. It’s hard to imagine what the spate of threats could accomplish if actually hurting someone was his ultimate goal. If he intended to blow up the interior of a Pitt building, he’s now made things harder for himself. But if his goal was to make general campus operations more difficult for Pitt students and employees, well, it worked.

By setting up a blockade at the entrance to academic buildings, by making students enter the building through a single door, in a single line, the university has actually accomplished the Pitterrorist’s only apparent goal for him. Classes will necessarily be shorter as students need to wait in lines to enter buildings. Without a bag to contain school supplies, walking with a simple notebook across campus on a rainy day will be very inconvenient and potentially impossible. Since the police plan to evacuate buildings anyway, it’s also not clear that the added security does anything but make securing the campus more expensive. It’s not clear to me whether students will be able to enter secured dorms with their belongings or whether laptop computers are included in the ban, but both could be used to circumvent the security.

I think this response is a fantastic example of what Bruce Schneier calls “security theater”. The police are deployed to respond to a specific tactic that can easily be changed. The campus officials can assure parents that they’re doing everything in their power to protect students from the very unlikely threat of a guy sending emails. Everybody looks busy. They’re frightened for their lives, so they have to do something. Anything.

Meanwhile, the cost of this security effort, apart from the added law enforcement to guard the doorways, will be primarily borne by the students – in the form of lower grades, poorer classes, and added stress.

Fortunately, Pitt only has a couple more weeks of classes, so any security measures are going to be temporary – for students, anyhow. It’ll be interesting to see whether the problems continue after students have left the campus for the summer.

So my serious questions for readers are these:

What is an adequate response to the Pitterrorist? How can the university respond to the threat without significant disruption? (Difficulty: The university needs to both reassure parents and also ensure that campus operations continue smoothly.)

What could be his motivation for this bizarre real-life denial-of-service attack? I’ve heard a lot of creative options, but I’m curious what anybody reading this thinks.

Personally, I’d be curious to see what the Pitterrorist would do if their IT department blocked all emails originating from foreign IPs for a couple days.

(And seriously, if you know something about this, even just a rumor or a hallway whisper, don’t be a jackass. Tell somebody. From their website: “Any witness who was in the areas on the dates and at the times of the threats and observed these threats being made or with information about who made these threats is urged to contact the University of Pittsburgh Police Department, 412-624-2121 or by email at police@pitt.edu.”)